In some situations, you need to prevent Layer 2 (L2) connectivity
between end devices on a switch without the placement of the devices in
different IP subnets. This setup prevents the waste of IP addresses. Private
VLANs (PVLANs) allow the isolation at Layer 2 of devices in the same IP subnet.
You can restrict some ports on the switch to reach only specific ports that
have a default gateway, backup server, or Cisco LocalDirector attached.

This document describes the procedure to configure isolated PVLANs on
Cisco Catalyst switches with either Catalyst OS (CatOS) or Cisco IOS®
Software.

This document assumes that you have a network that already exists and
are able to establish connectivity among the various ports for addition to a
PVLAN. If you have multiple switches, make sure that the trunk between the
switches functions correctly and permits the PVLANs on the trunk.

Note: Some switches (as specified in the Private VLAN Catalyst Switch
Support Matrix) currently support only the PVLAN Edge feature. The term
"protected ports" also refers to this feature. PVLAN Edge ports have a
restriction that prevents communication with other protected ports on the same
switch. Protected ports on separate switches, however, can communicate with
each other. Do not confuse this feature with the normal PVLAN configurations
that this document shows. For more information on protected ports, refer to the
Configuring Port Security section of the document Configuring Port-Based
Traffic Control.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

A PVLAN is a VLAN with configuration for Layer 2 isolation from other
ports within the same broadcast domain or subnet. You can assign a specific set
of ports within a PVLAN and thereby control access among the ports at Layer 2.
You can configure PVLANs and normal VLANs on the same switch.

There are three types of PVLAN ports: promiscuous, isolated, and
community.

A promiscuous port communicates with all other PVLAN ports. The
promiscuous port is the port that you typically use to communicate with
external routers, LocalDirectors, network management devices, backup servers,
administrative workstations, and other devices. On some switches, the port to
the route module (for example, Multilayer Switch Feature Card [MSFC]) needs to
be promiscuous.

An isolated port has complete Layer 2 separation from other ports
within the same PVLAN. This separation includes broadcasts, and the only
exception is the promiscuous port. Privacy at Layer 2 is enforced by blocking
all traffic toward isolated ports except traffic that comes from a promiscuous
port. Traffic that comes from an isolated port is forwarded only to the
promiscuous ports.

Community ports can communicate with each other and with the
promiscuous ports. These ports have Layer 2 isolation from all ports in other
communities and from isolated ports within the PVLAN. Broadcasts propagate
only between the associated community ports and the promiscuous port.

You can only designate a VLAN as a PVLAN if that VLAN has no current
access port assignments. Remove any ports in that VLAN before you make the VLAN
a PVLAN.

Do not configure PVLAN ports as EtherChannels.

Due to hardware limitations, the Catalyst 6500/6000 Fast Ethernet
switch modules restrict the configuration of an isolated or community VLAN port
when one port within the same COIL application-specific integrated circuit
(ASIC) is one of these:

A trunk

A Switched Port Analyzer (SPAN) destination

A promiscuous PVLAN port

This table indicates the range of ports that belong to the same ASIC
on Catalyst 6500/6000 FastEthernet modules:

Module                                            Ports by ASIC
------------------------------------------------  -------------------------------
WS-X6224-100FX-MT, WS-X6248-RJ-45, WS-X6248-TEL   Ports 1-12, 13-24, 25-36, 37-48
WS-X6024-10FL-MT                                  Ports 1-12, 13-24
WS-X6548-RJ-45, WS-X6548-RJ-21                    Ports 1-48

The show pvlan capability command (CatOS)
also indicates if you can make a port a PVLAN port. There is no equivalent
command in Cisco IOS Software.

If you delete a VLAN that you use in the PVLAN configuration, the
ports that associate with the VLAN become inactive.

Configure Layer 3 (L3) VLAN interfaces only for the primary VLANs.
VLAN interfaces for isolated and community VLANs are inactive while the VLAN
has an isolated or community VLAN configuration. For more information, refer to
Configuring Private VLANs.

You can extend PVLANs across switches with the use of trunks. Trunk
ports carry traffic from regular VLANs and also from primary, isolated, and
community VLANs. Cisco recommends the use of standard trunk ports if both
switches that undergo trunking support PVLANs.

Note: You must manually enter the same PVLAN configuration on every
switch involved, because VTP in transparent mode does not propagate this
information.

In this scenario, the devices in the isolated VLAN ("101") cannot
communicate with one another at Layer 2. However, the devices can connect to
the Internet. In addition, port "Gig 3/26" on the 4006
has the promiscuous designation. This optional configuration allows a device on
GigabitEthernet 3/26 to connect to all devices in the isolated VLAN. This
configuration also allows, for example, the backup of the data from all the
PVLAN host devices to an administration workstation. Other uses for promiscuous
ports include connection to an external router, LocalDirector, network
management device, and other devices.

Perform these steps to create the primary and secondary VLANs, as well
as to bind the various ports to these VLANs. The steps include examples for
both CatOS and Cisco IOS Software. Issue the appropriate command set for your
OS installation.

Switch_CatOS> (enable) set vlan secondary_vlan_id pvlan-type isolated name isolated_pvlan
!--- Note: This command should be on one line.
VTP advertisements transmitting temporarily stopped,
and will resume after the command finishes.
Vlan 101 configuration successful

Switch_CatOS> (enable) set pvlan mapping primary_vlan_id secondary_vlan_id mod/port
!--- Note: This command should be on one line.
Successfully set mapping between 100 and 101 on 3/26
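The same scenario in Cisco IOS Software configuration syntax follows as an
added example; it is not configuration from the original document and was not
taken from a Cisco device. Primary VLAN 100, isolated VLAN 101, and the
promiscuous port GigabitEthernet 3/26 come from the scenario above. The host
ports GigabitEthernet 3/1, 3/2 and 3/13, the community VLAN 102, the VLAN
names and the 192.0.2.0/24 addressing are assumptions, added so that all three
port types appear on one switch.

```cisco
! --- Added example (not from the original document). Assumed names and
! --- numbers: VLAN 102, ports Gi3/1, Gi3/2, Gi3/13, the 192.0.2.0/24 subnet.
!
! VTP v1/v2 does not carry PVLANs, so the switch is kept in transparent mode
! and the same VLAN definitions are entered on every switch by hand.
vtp mode transparent
!
! Primary VLAN and its two secondary VLANs (one isolated, one community)
vlan 100
 name primary_pvlan
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name isolated_pvlan
 private-vlan isolated
!
vlan 102
 name community_pvlan
 private-vlan community
!
! Promiscuous port: the only port that reaches every host in 101 and 102
! (backup server, admin workstation, external router, ...)
interface GigabitEthernet3/26
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host ports: no Layer 2 reachability to each other or to VLAN 102,
! only to Gi3/26
interface GigabitEthernet3/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet3/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: reaches other members of 102 and Gi3/26, never 101
interface GigabitEthernet3/13
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Layer 3 interface only on the primary VLAN; the secondary VLANs are mapped
! to it so their hosts can use 192.0.2.1 as default gateway. No interface
! Vlan101 or Vlan102 is created, as those would stay inactive.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
 no shutdown
```

After the configuration is applied, show vlan private-vlan lists the
primary-to-secondary associations and the ports bound to each, and show
interfaces GigabitEthernet3/1 switchport confirms that the operational mode is
private-vlan host rather than a negotiated trunk.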

Note: On a Catalyst 6500/6000 whose Supervisor Engine runs CatOS as
the system software, the MSFC port on the Supervisor Engine (15/1 or 16/1)
should be promiscuous if you want to route (Layer 3 switch) between the VLANs.

As with regular VLANs, PVLANs can span multiple switches. A trunk port
carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk
port deals with the private VLAN as any other VLAN. A feature of PVLANs across
multiple switches is that traffic from an isolated port in one switch does not
reach an isolated port on another switch.

Configure PVLANs on all intermediate devices, including devices that
have no PVLAN ports, in order to maintain the security of your PVLAN
configuration and to prevent any other use of the VLANs that you configured as
PVLANs.

Trunk ports carry traffic from regular VLANs and also from primary,
isolated, and community VLANs.

Tip: Cisco recommends the use of standard trunk ports if both switches
that undergo trunking support PVLANs.

Because VTP does not support PVLANs, you must manually configure PVLANs
on all switches in the Layer 2 network. If you do not configure the primary and
secondary VLAN association in some switches in the network, the Layer 2
databases in these switches are not merged. This situation can result in
unnecessary flooding of PVLAN traffic on those switches.

A PVLAN trunk port can carry multiple secondary VLANs and non-PVLANs.
Packets are received and transmitted with secondary or regular VLAN tags on the
PVLAN trunk ports.

Only IEEE 802.1q encapsulation is supported. Isolated trunk ports allow
you to combine traffic for all secondary ports over a trunk. Promiscuous trunk
ports allow you to combine the multiple promiscuous ports required in this
topology in a single trunk port that carries multiple primary VLANs.

Use isolated Private VLAN trunk ports when you anticipate the use of
Private VLAN isolated host ports to carry multiple VLANs, either normal VLANs
or for multiple Private VLAN domains. This makes it useful for connecting a
downstream switch that does not support Private VLANs.

Private VLAN promiscuous trunks are used where a Private VLAN
promiscuous host port would normally be used but it is necessary to carry
multiple VLANs, either normal VLANs or VLANs for multiple Private VLAN domains.
This makes them useful for connecting an upstream router that does not support
Private VLANs.
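The three trunk variants described in this section, written out in Cisco IOS
Software syntax as used on Catalyst 4500 series switches, as an added example
that is not from the original document: a standard 802.1Q trunk to a
PVLAN-aware neighbor (with the VLAN definitions repeated on that neighbor
because VTP does not carry them), an isolated PVLAN trunk toward a downstream
switch without PVLAN support, and a promiscuous PVLAN trunk toward an upstream
router without PVLAN support. VLANs 100 and 101 are the page's primary and
isolated VLANs; the regular VLANs 10 and 20, the interface numbers, the switch
names, and the assumption that the platform and software release support PVLAN
trunk ports are all mine.

```cisco
! --- Added example (not from the original document). Assumed: Switch_A and
! --- Switch_B, interfaces Gi1/1-Gi1/3, regular VLANs 10 and 20.
!
! --- Switch_A: standard 802.1Q trunk to Switch_B, which also supports PVLANs.
! --- The primary and the secondary VLAN are both allowed on the trunk.
interface GigabitEthernet1/1
 description Trunk to Switch_B (PVLAN-aware)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! --- Switch_B: the PVLAN definitions must be repeated by hand. VTP does not
! --- propagate them; without them the primary/secondary association is not
! --- merged on Switch_B and PVLAN traffic is flooded there.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet1/1
 description Trunk to Switch_A
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! --- Switch_A: isolated PVLAN trunk toward a downstream switch with no PVLAN
! --- support. Frames carry the secondary tag (101) or a regular VLAN tag
! --- (10, 20); every host behind this trunk is treated as an isolated host.
interface GigabitEthernet1/2
 description Isolated PVLAN trunk to legacy access switch
 switchport mode private-vlan trunk secondary
 switchport private-vlan trunk native vlan 10
 switchport private-vlan trunk allowed vlan 10,20
 switchport private-vlan association trunk 100 101
!
! --- Switch_A: promiscuous PVLAN trunk toward an upstream router with no PVLAN
! --- support. The router sees only the primary tag (100); secondary VLAN 101
! --- is mapped to the primary on this port, so the router reaches all hosts.
interface GigabitEthernet1/3
 description Promiscuous PVLAN trunk to upstream router
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk native vlan 10
 switchport private-vlan trunk allowed vlan 10,20
 switchport private-vlan mapping trunk 100 101
```

The switchport trunk encapsulation dot1q line is needed on platforms that also
offer ISL (for example Catalyst 6500) and is absent on platforms that support
only 802.1Q. The security point from this section is the Switch_B block: a
transit switch that carries VLANs 100 and 101 without the private-vlan
definitions treats them as ordinary VLANs, and isolation is lost on that hop.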

You get this error message:

%PM-SP-3-ERR_INCOMP_PORT: <mod/port> is set to inactive because <mod/port> is a trunk port

This error message can be displayed for multiple reasons, as discussed
here.

Explanation - 1: Due to hardware limitations, Catalyst
6500/6000 10/100-Mbps modules restrict the configuration of an isolated or
community VLAN port when one port within the same COIL ASIC is a trunk, a SPAN
destination, or a promiscuous PVLAN port. (The COIL ASIC controls 12 ports on
most modules and 48 ports on the Catalyst 6548 module.) The table in the Rules
and Limitations section of this document provides a breakdown of the port
restriction on the Catalyst 6500/6000 10/100-Mbps modules.

Resolution Procedure - 1: If there is no support for
PVLAN on that port, pick a port on a different ASIC on the module or on a
different module. In order to reactivate the ports, remove the isolated or
community VLAN port configuration and issue the
shutdown command and no
shutdown command.

Explanation - 2: The ports are configured, either manually or by
default, in dynamic desirable or dynamic auto mode, so DTP can negotiate
them into trunk ports.

Resolution Procedure - 2: Configure the ports as
access mode with the switchport mode access command.
In order to reactivate the ports, issue the shutdown
command and no shutdown command.
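A worked instance of the two resolution procedures, as an added example that is
not part of the original document: a WS-X6248-RJ-45 module in slot 3 (ASIC
groups of ports 1-12, 13-24, 25-36 and 37-48 per the table above) is assumed
to carry a trunk on FastEthernet 3/1 and a DTP-negotiating port on FastEthernet
3/7. The isolated host that was placed on FastEthernet 3/5 is moved to
FastEthernet 3/13 in the next ASIC group, and the dynamic port is pinned to
access mode. The module, slot and port numbers are assumptions; VLANs 100 and
101 are the page's scenario.

```cisco
! --- Added example (not from the original document). Assumed: WS-X6248-RJ-45
! --- in slot 3, Fa3/1 is an 802.1Q trunk, Fa3/7 is in dynamic desirable mode.
! --- Any isolated or community port in the same ASIC group as Fa3/1
! --- (Fa3/1-Fa3/12) is set inactive with %PM-SP-3-ERR_INCOMP_PORT.
!
! Resolution 1: remove the PVLAN configuration from the port that shares the
! ASIC with the trunk, pin it to access mode and bounce it to reactivate it.
interface FastEthernet3/5
 no switchport private-vlan host-association
 switchport mode access
 shutdown
 no shutdown
!
! ... then place the isolated host on a port in a different ASIC group
! (Fa3/13-Fa3/24 on this module).
interface FastEthernet3/13
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Resolution 2: Fa3/7 was left in DTP dynamic desirable mode (a common
! default), so it can become a trunk and triggers the same restriction for
! PVLAN host ports in its ASIC group. Pin it to access mode, then bounce the
! affected host port.
interface FastEthernet3/7
 switchport mode access
!
interface FastEthernet3/13
 shutdown
 no shutdown
```

show interfaces FastEthernet3/7 switchport reports Administrative Mode: dynamic
desirable before the change and static access after it, which is the quickest
way to confirm that no port in the ASIC group can still negotiate a trunk.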

Note: In Cisco IOS Software Release 12.2(17a)SX and later releases, the 12
port restriction does not apply to WS-X6548-RJ-45, WS-X6548-RJ-21 and
WS-X6524-100FX-MM Ethernet switching modules. For more information on
configuration limitations of PVLAN with other features, refer to the
Limitations with Other Features section of Configuring Private VLANs (PVLANs).

Cannot add a private vlan mapping to a port with another Private port in the same ASIC.
Failed to set mapping between <vlan> and <vlan> on <mod/port>

Port with another Promiscuous port in the same ASIC cannot be made Private port.
Failed to add ports to association.

Explanation: Due to hardware limitations, Catalyst
6500/6000 10/100-Mbps modules restrict the configuration of an isolated or
community VLAN port when one port within the same COIL ASIC is a trunk, a SPAN
destination, or a promiscuous PVLAN port. (The COIL ASIC controls 12 ports on
most modules and 48 ports on the Catalyst 6548 module.) The
table in the Rules and
Limitations section of this document provides a breakdown of the port
restriction on the Catalyst 6500/6000 10/100-Mbps modules.

Resolution Procedure: Issue the show pvlan capability command
(CatOS), which indicates if a port can become a PVLAN port. If there is no
support for PVLAN on that particular port, pick a port on a different ASIC on
the module or on a different module.

Note: In Cisco IOS Software Release 12.2(17a)SX and later releases, the 12
port restriction does not apply to WS-X6548-RJ-45, WS-X6548-RJ-21 and
WS-X6524-100FX-MM Ethernet switching modules. For more information on
configuration limitations of PVLAN with other features, refer to the
Limitations with Other Features section of Configuring Private VLANs (PVLANs).

On Catalyst 6500/6000 devices with MSFC/MSFC2, ARP entries learned on
Layer 3 PVLAN interfaces do not age out.

Resolution: ARP entries that are learned on Layer 3
private VLAN interfaces are sticky ARP entries and do not age out. The
connection of new equipment with the same IP address generates a message, and
there is no creation of the ARP entry. Therefore, you must manually remove
PVLAN port ARP entries if a MAC address changes. In order to add or remove
PVLAN ARP entries manually, issue these commands: